In this short article, I want to share with you a very simple script that may save the day.
IntroIt is not a secret that attackers prepare for the phishing attacks, especially for spear phishing. Spear phishing is a phishing attack specifically designed against an individual or business. Usually, the aim of an attack to make you act as an attacker wanted to (e.g. click a link, open an attachment, etc). To achieve it an attacker tries to imitate a legitimate activity as good as possible. For example, the common case is using a company's official email signature format or even a mail template from an internal company portal.
Also, I am sure you already know, attackers love to use domain names indistinguishable from the company's domain name. This is the thing we can use to be a step ahead. We have to generate the list of possible domains that an attacker may register for usage and periodically check DNS records of the domains from the list. Once we find a new domain, we have good chances to be prepared for an attack.
I made a simple Lambda function that checks domains and sends a notification via SNS once a valid record was found (link). To simply deploy the function I also made a CloudFormation stack. You may use the link as
Amazon S3 template URL.
After the stack is created, in function environment variables you have to specify the following:
- SNS Topic ARN
- Add domains to the list. You may use [dnstwist](https://github.com/elceef/dnstwist) to generate such a list.
$ dnstwist.py --format idle domain.name > out.txt
Other waysI already mentioned dnstwist, it has much more functionality you may utilize for your needs.
Also, there is a web version of the tool - dnstwister.report. You may easily subscribe to new
Someday such a simple thing may save a lot of time in the future which you spend on an investigation.
Have a good day! ☀️
Photo by Sebastian Pena Lambarri on Unsplash